Skip to content

Latest commit



154 lines (112 loc) · 6.58 KB

File metadata and controls

154 lines (112 loc) · 6.58 KB

Welcome to XproxyApp

The XproxyApp is a client for Xproxy on iOS and macOS, and Xproxy is a user-space VPN. The Xproxy dir in this repo is different with the Xproxy (see, the former is a http/https proxy, the later is a SOCKS5 proxy.


on iPhone Status View Servers View New Server View Settings View

on iPad Status View Servers View New Server View Settings View

on Mac Menu bar Status View Servers View New Server View Settings View

System Requirements

iOS 16.0 or later macOS 14.0 or later


NetworkExtension on iOS doesn't provide proxy settings for socks, but it has two kinds of proxy settings: http and https. We can setup http and https proxy settings in startTunnel() of NEPacketTunnelProvider like this:

    var localProxyAddres = ""
    var localProxyPort = 8080

    let networkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "")
    networkSettings.mtu = 1500

    let ipv4Settings = NEIPv4Settings(addresses: [""], subnetMasks: [""])
    let proxySettings = NEProxySettings()

    // set the http proxy
    proxySettings.httpEnabled = true
    proxySettings.httpServer = NEProxyServer(address: localProxyAddress, port: localProxyPort)

    // set the https proxy
    proxySettings.httpsEnabled = true
    proxySettings.httpsServer = NEProxyServer(address: localProxyAddress, port: localProxyPort)

    proxySettings.matchDomains = [""]
    // exception list
    proxySettings.exceptionList = exceptionList

    networkSettings.proxySettings = proxySettings
    networkSettings.ipv4Settings = ipv4Settings

    setTunnelNetworkSettings(networkSettings) { error in
        guard error == nil else {

        if (start_local_proxy() == 0) {
        } else {

start_local_proxy() will run a local http/https proxy server (local-proxy) which is listening on the localProxyPort, the system will redirect all the http and https traffics except the domains in the exceptionList to the local-proxy.

    ┌ ─ ─ ─ ┐     0. http request    ┌ ─ ─ ─ ─ ─ ─ ─ ┐                          ┌ ─ ─ ─ ─ ─ ─ ─ ┐                ┌ ─ ─ ─ ─ ─ ┐
    |       |"GET|  local-proxy  |1. SOCKS5 CONNECT request |  remote-proxy | 2. open a tcp  |           |
    │       │        http/1.1"       │┌─────┐ ┌─────┐├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ >│┌─────┐ ┌─────┐├ ─ ─ ─ ─ ─ ─ ─ >│           │
    |─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─>|│     │ │     │|                          |│     │ │     │|                |           |
    │       │                        ││     │ │     ││3. SOCKS5 CONNECT response││     │ │     ││                │           │
    |  app  |                        |│ tcp │ │ tcp │|<─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─|│ tcp │ │ tcp │|                ||
    │       │                        ││     │ │     ││                          ││     │ │     ││blinded exchange│           │
    |       | blinded exchange data  |│     │ │     │|  blinded exchange data   |│     │ │     │|      data      |           |
    │       │< ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─>│└─────┘ └─────┘│< ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─>│└─────┘ └─────┘│< ─ ─ ─ ─ ─ ─ ─>│           │
    └ ─ ─ ─ ┘                        └ ─ ─ ─ ─ ─ ─ ─ ┘                          └ ─ ─ ─ ─ ─ ─ ─ ┘                └ ─ ─ ─ ─ ─ ┘

Handle request

The crucial part of the local-proxy is turn the http/https request into a handshake packet communicate with the remote-proxy, of course, the handshake packet could be any coustom packet, the handshake packet of Xproxy is taken from SOCKS5 - the SOCKS5 CONNECT request.

The request looks like 'GET[:port]/ http/1.1' is the http request, the request looks like 'CONNECT http/1.1' is the https request.

  1. the local-proxy extracts the domain and the port from the request line, and sends it to the remote-proxy as a SOCKS5 CONNECT request
  2. the remote-proxy opens a tcp connection to
  3. the remote-proxy replies a SOCKS5 CONNECT response to the local-proxy
  4. a) the local-proxy forwards the request to the remote-proxy if the request is http request; b) the local-proxy replies a 'HTTP/1.1 200 Connection Established' response to the app if the request is https request
  5. exchange data blindly

Each packet between the local-proxy and the remote-proxy is as below:

    ┌─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ + ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ~ ~ ~ ─ ─┐
    |encrypted payload length| encrypted payload     ......   |
    └─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ + ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ~ ~ ~ ─ ─┘

the payload length is a 4-byte unsigned integer, following a payload length data.


On Linux or macOS:

  • libssl-dev

OpenSSL-3.4.0 is precompiled as static library at openssl/lib, iOS and macOS (Intel and Apple Sillicon).


  1. % cd Xproxy
  2. % autoreconf --install
  3. % ./configure --with-openssl-include-path=-I/opt/homebrew/include --with-openssl-static-lib-path=/opt/homebrew/lib
  4. % make


Runing on Linux or macOS: % ./local-proxy -c ./local.conf


Runing on Linux or macOS: % ./remote-proxy -c ./remote.conf


  • udp proxy
  • more secure cipher-suit